Friday, July 13, 2018

DNS and joining domain



Here is my situation. I have a 2012 Active Directory server with DNS installed on it. I also have a SonicWall NSA 240 router which I have acting as the DHCP server. On the SonicWall I set the DNS entry to be the following:

primary - 172.16.0.6 (IP of the DNS server)
secondary - 4.2.2.1

Everything works and I can even join the domain on client machines. However, if I try and go to sam.sightly.com, which is a webserver we host, my browser comes back saying that the page cannot be displayed and to check my DNS settings. However, regular internet browsing works.

If I flip the DNS entry and go:

primary - 4.2.2.1
secondary - 172.16.0.6

My issue goes away; however, I can no longer join the domain, and I can go to sam.sightly.com.

Thanks in advance.


Answer

What you've done is created a split-brain DNS namespace. This is bad.

First of all, let's establish a few things.

  1. You should have more than 1 Domain Controller.
  2. You should run DNS on at least two of your Domain Controllers.
  3. Active Directory clients (your internal domain-joined PCs) should only point to DCs for their DNS.




Why is this happening?

Ok, now that that's out of the way, let's talk about why you're experiencing what you are. You seem to have an internal Active Directory named sightly.com. It sounds like this is also your publicly registered web presence. Domain Controllers have SOA and NS records for the DNS zone that they hold. They are authoritative for this zone. This means that any internal client using them for DNS will assume that your DCs have all of the hosts in the sightly.com zone. If you have a public website called sightly.com that's hosted externally, you'll notice that your internal clients can't get there either unless you have a subdomain like www. configured for it. This is because your Domain Controllers register themselves as sightly.com with "same as parent" A records in DNS.

So, you can see that there's a problem here since you now have two sets of DNS servers that think they're authoritative for the same sightly.com zone. You'll never be able to get to an external sightly.com without prepending something like www. unless you run a web service on each DC to redirect traffic externally (don't actually do this, it's bad). You can get to subdomains of sightly.com only if you duplicate the external DNS records on your Domain Controllers' copy of the sightly.com zone.



How can you fix it?

  1. Change your Active Directory domain name to be an unused subdomain of sightly.com. Something like internal.sightly.com or ad.sightly.com. If you've got a lot of machines joined and GPO configured, this might not be the best bet. But, by the sound of it, this isn't the case. Seriously, if it's at all possible - start over and name your AD correctly. I wrote a blog post and a Q&A about naming Active Directory. I strongly encourage you to read them before you do anything else.
  2. If you can't or won't rename your existing domain (I still think you should), then you'll have to make a duplicate DNS entry on your internal DNS zone for each external resource in sightly.com. So, somewhere in the cloud, you probably have a DNS host that keeps track of the DNS records for sam.sightly.com and every other external resource. You now have to keep duplicate records on your Domain Controller for all of these.

TL;DR
Maintain duplicate records on your internal DNS or rename your AD domain. If I were you, I'd rename if possible.
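If you take the second option, the duplicate records drift whenever the public ones change. As an added example (not code from the answer above), this PowerShell script compares the public A records of a list of externally hosted names against the internal sightly.com zone on the DC and reports the missing or stale ones, adding the missing ones only when run with -Fix. It assumes the DnsServer and DnsClient modules of Windows Server 2012, the addresses from the question, and a placeholder host list you keep by hand.

```powershell
# Added example, not the answer's own code. Assumes the Windows Server 2012 DnsServer/DnsClient
# modules, the addresses from the question, and a placeholder list of externally hosted names.
param([switch]$Fix)   # without -Fix the script only reports drift

$Zone          = 'sightly.com'
$InternalDns   = '172.16.0.6'       # the DC running DNS (from the question)
$ExternalDns   = '4.2.2.1'          # public resolver used to learn the real external records
$ExternalHosts = @('sam', 'www')    # hostnames hosted outside AD; placeholder list
$Ttl           = New-TimeSpan -Hours 1   # short TTL so external changes show up inside quickly

foreach ($name in $ExternalHosts) {
    $fqdn = "$name.$Zone"

    # What the world sees: follow any CNAME chain and keep only the final A records.
    $public = Resolve-DnsName -Name $fqdn -Type A -Server $ExternalDns -ErrorAction SilentlyContinue |
              Where-Object { $_.QueryType -eq 'A' }
    if (-not $public) { Write-Warning "$fqdn has no public A record; skipping"; continue }
    $want = @($public.IPAddress | Sort-Object -Unique)

    # What domain-joined clients see: the copy held in the DC's authoritative zone.
    $internal = Get-DnsServerResourceRecord -ComputerName $InternalDns -ZoneName $Zone `
                    -Name $name -RRType A -ErrorAction SilentlyContinue
    $have = @($internal | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString } |
              Sort-Object -Unique)

    $missing = @($want | Where-Object { $have -notcontains $_ })
    $stale   = @($have | Where-Object { $want -notcontains $_ })
    if ($missing.Count -eq 0 -and $stale.Count -eq 0) {
        Write-Host "$fqdn OK ($($want -join ', '))"
        continue
    }

    Write-Host "$fqdn DRIFT: missing=[$($missing -join ', ')] stale=[$($stale -join ', ')]"
    if ($Fix) {
        foreach ($ip in $missing) {
            Add-DnsServerResourceRecordA -ComputerName $InternalDns -ZoneName $Zone `
                -Name $name -IPv4Address $ip -TimeToLive $Ttl
        }
        # Stale records are only reported, never deleted: removing the wrong one
        # breaks internal clients immediately, so that step stays manual.
    }
}
```

Run it from a scheduled task on the DC so drift is noticed before users report "page cannot be displayed"; renaming the AD domain, as the answer recommends, removes the need for it entirely.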

